Software Integrity Blog

Author Archive

Robert Vamosi

Posts by Robert Vamosi:

 

For want of a CVE

At a security conference this week, researchers complained about MITRE’s handling of new vulnerabilities and the difficulties of getting a CVE assigned. At AusCERT this week, security researcher David Jorm said it’s gotten so bad that he’s started creating workarounds to the problem such as creating his own website to get the word out about […]

Posted in Software Architecture and Design

Podcast: ISO 26262 compliance through software testing

Standards are, without a doubt, important in any industry. Swipe your credit card at the cash register, and behind the scenes there’s PCI DSS safeguarding how the credit card information is processed and stored. For wireless communications, there’s IEEE 802. And for the automotive industry, there’s ISO 26262, a standard that covers electronic systems in automobiles […]

Posted in Security Standards and Compliance

New risk assessments for old medical device security flaws

On Wednesday, representatives from MITRE proposed risk assessments for medical devices using existing frameworks. Presenting at SOURCE Boston, Penny Chase and Steve Christey Coley of the MITRE Corporation noted that medical devices incorporate third-party software, operating systems, and workstations; are subject to regulation, which can limit the ability to patch and reconfigure […]

Posted in Medical Device Security

SEC warns on financial services cybersecurity risks

According to the chair of the US Securities and Exchange Commission, cyber hacking is the biggest risk facing the world’s financial markets today. US SEC Chair Mary Jo White made her comments Wednesday at a conference organized by the Reuters news service. She specifically cited the March 2016 theft of $81 million from the Bangladesh central bank. […]

Posted in Financial Services Security, Software Architecture and Design

Serious Symantec AV engine vulnerability to be patched

Google Project Zero researcher Tavis Ormandy disclosed a remote heap/pool memory corruption vulnerability in all versions of Symantec and Norton branded antivirus products. In a forum post he said that, because of the way the Symantec filter works, just emailing a compromised file or sending a compromised link to a victim is enough to exploit the vulnerability, CVE-2016-2208. […]

Posted in Software Architecture and Design

Backdoor vulnerability affects Chinese ARM-based prototyping devices, others

Researchers have found that a Chinese chip manufacturer for low-cost Android tablets, set-top boxes, ARM-based PCs, and other devices has shipped a vulnerable Linux kernel in its latest product. The legacy 3.4 Linux kernel for the H3/A83T/H8, produced by Allwinner, a Chinese system-on-chip company, apparently contains a serious vulnerability that can produce local privileges […]

Posted in Software Architecture and Design

Privilege escalation vulnerability hits Lenovo Solution Center software

There is a serious privilege escalation vulnerability in software that is included with every Lenovo laptop. Fortunately, the company has now released a patch. According to the company, the Lenovo Solution Center (LSC) is a software application created by Lenovo that allows users to perform diagnostic functions and quickly identify the status of PC system […]

Posted in Software Architecture and Design

ImageMagick vulnerability could allow remote attacks using malformed image files

A vulnerability in a popular software suite used to resize and reproduce image files in a variety of file formats could also allow remote command execution on a compromised web site. Security researchers last week discovered a heap overflow and an out-of-bounds read bug in ImageMagick, a software suite used to create, edit, compose, or […]

Posted in Software Architecture and Design

Podcast: Software security and the connected car

Today the average new car has more lines of software code than the Hubble Space Telescope, a Boeing 787 Dreamliner, and all the source code of your favorite social media app, Facebook, combined. And that’s just the beginning. In the not so distant future, your car will become no less than a mobile data […]

Posted in Automotive Security

6 years later, ‘Stuxnet’ vulnerability remains exploited

In a recent report, Microsoft found that among the exploit-related malware families it detected during 2015 was one targeting a six-year-old, well-publicized vulnerability. Back in 2010, security researchers traced a series of hardware-specific infections to a piece of malware dubbed Stuxnet. This malware lay dormant on Windows machines unless there was also access to a […]

Posted in Critical Infrastructure Security, Internet of Things